Goodbye http://repo.spring (use https)

In response to our nohttp announcement, Maven Central's announcement, and JFrog's announcement, beginning January 15, 2020, Spring's Maven repository will no longer support HTTP. More concretely, http://repo.spring.io will not respond to requests at all; there will be no redirect. Users will need to ensure that every reference to the repository in their build configuration (for example in pom.xml, settings.xml, or build.gradle) uses https://repo.spring.io
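The repository URLs that need changing live in build configuration, and any plaintext http:// URL left there is exactly what will start failing. The following is an added example, not code from this post or from Spring's nohttp project: it scans Maven and Gradle build files for http:// URLs, ignores XML namespace and schema identifiers that a build never actually fetches, and rewrites the offending URLs to https://. The pom.xml and build.gradle fragments are constructed for the example, and the allowlist of namespace prefixes is this example's own assumption.

```python
"""Find and fix plaintext http:// repository URLs in Maven/Gradle build files.

Added example; not part of the original Spring post or of the nohttp project.
"""
import re
from typing import List, Tuple

# Constructed sample build files (not taken from any real project).
WEAK_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>spring-milestones</id>
      <url>http://repo.spring.io/milestone</url>
    </repository>
  </repositories>
</project>
"""

# The corrected form of the same pom.xml: only the scheme of the repository URL changes.
FIXED_POM = WEAK_POM.replace("http://repo.spring.io", "https://repo.spring.io")

WEAK_GRADLE = """repositories {
    mavenCentral()
    maven { url 'http://repo.spring.io/snapshot' }
}
"""

# XML namespace / schema identifiers look like URLs but are never requested by
# the build tool, so they are not a MITM exposure. This allowlist is an
# assumption of the example; extend it for other schemas you use.
ALLOWED_PREFIXES = (
    "http://maven.apache.org/POM/",
    "http://maven.apache.org/xsd/",
    "http://www.w3.org/",
)

# A URL ends at whitespace, a quote, or an XML angle bracket.
HTTP_URL = re.compile(r"http://[^\s'\"<>]+")


def find_http_urls(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every http:// URL not on the allowlist."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HTTP_URL.finditer(line):
            url = match.group(0)
            if not url.startswith(ALLOWED_PREFIXES):
                hits.append((lineno, url))
    return hits


def is_clean(text: str) -> bool:
    """True when the build file fetches nothing over plaintext HTTP."""
    return not find_http_urls(text)


def rewrite_to_https(text: str) -> str:
    """Upgrade every non-allowlisted http:// URL to https://.

    This assumes the host actually serves HTTPS (true for repo.spring.io and
    Maven Central); run the build afterwards to confirm nothing else broke.
    """
    def upgrade(match: "re.Match[str]") -> str:
        url = match.group(0)
        if url.startswith(ALLOWED_PREFIXES):
            return url
        return "https://" + url[len("http://"):]

    return HTTP_URL.sub(upgrade, text)


if __name__ == "__main__":
    for name, content in (("pom.xml", WEAK_POM), ("build.gradle", WEAK_GRADLE)):
        for lineno, url in find_http_urls(content):
            print(f"{name}:{lineno}: plaintext repository URL {url}")
        print(f"{name} clean after rewrite: {is_clean(rewrite_to_https(content))}")
```

Running the scan in CI (or as a pre-commit hook) catches the http:// reference before the build ever reaches the repository, which is the proactive counterpart to the fail-fast behavior described below.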

We are not going to redirect from http to https because a redirect perpetuates the vulnerability. When the first request is made over http, a man-in-the-middle (MITM) can suppress the redirect and replace the response with a malicious payload (for a Maven repository, a tampered artifact). Users who continue to use http will remain vulnerable to MITM attacks.

It is worth pointing out that redirecting to https is beneficial for browsers. Once a browser has followed the redirect to https, it makes its subsequent requests for that page over https. The user is still exposed on the initial plaintext request, but the exposure shrinks from every request to just that first one. A site can improve this further for browsers with HTTP Strict Transport Security (HSTS), which instructs the browser to stop making plaintext requests to that host in the future, eliminating the initial http request on later visits.

That browser behavior, which preserves state across requests, is quite different from a CLI client such as a build tool, which remembers nothing between requests and will keep starting every artifact download over http, giving an attacker a fresh opportunity each time. This is why we are not doing a redirect. We want CLI clients to fail fast, so that users know they need to protect themselves by switching to https.
